How to delete Win32.Sasser.B - Removal tool, fix instructions

Name: Win32.Sasser.B

Aliases: Sasser.B, W32/Sasser.B.worm

Type: Worm

Size: -

First appeared on: 01.05.2004

Damage: Medium

Brief Description: Sasser.B is a worm that spreads itself through vulnerable systems affected by the LSASS exploit (MS04-011).

Sasser.B creates a copy of itself in the Windows directory named AVSERVE2.EXE.

It also creates the following registry entry to ensure it is launched when the system is booted:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

avserve2.exe = %windir%\avserve2.exe

Sasser.B exploits the LSASS vulnerability to access the remote systems. More information about this exploit is available in the following URL:

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

The worm uses 128 threads to scan random IP addresses. If the connection through port TCP 445 succeeds, the worm will check if the system is vulnerable. If it is, Sasser will open a shell through port TCP 9996 and will force an FTP connection through port TCP 5554 to download the worm to the vulnerable system. The copy of the worm downloaded will be named %number%_up.exe, where %number% is a random number. In addition, the exploit uses a buffer overflow to make the LSASS.EXE application crash. This might lead to a system crash.
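The propagation routine above leaves a recognisable footprint in connection logs: one source touching many hosts on TCP 445 in a short time, and, for a successful infection, 445 followed by 9996 from the same source to the same target and then a callback from the target to the source on 5554. The following detection script is an added example, not part of the original page or any vendor tool. It assumes a simple constructed log format ("timestamp src dst dport status", one connection per line) and assumes the FTP download on 5554 is a connection from the victim back to the infecting host, as the description implies; the sample lines are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the page): "timestamp src dst dport status".
# 10.0.0.5 sweeps 445, gets a shell on 10.0.0.23 and receives the FTP callback;
# 10.0.0.9 is ordinary SMB traffic and must not be flagged.
SAMPLE_LOG = """\
2004-05-01T10:00:00 10.0.0.5 192.168.1.10 445 refused
2004-05-01T10:00:00 10.0.0.5 192.168.1.11 445 refused
2004-05-01T10:00:00 10.0.0.5 192.168.1.12 445 refused
2004-05-01T10:00:01 10.0.0.5 192.168.1.13 445 refused
2004-05-01T10:00:01 10.0.0.5 192.168.1.14 445 refused
2004-05-01T10:00:01 10.0.0.5 10.0.0.23 445 open
2004-05-01T10:00:02 10.0.0.5 10.0.0.23 9996 open
2004-05-01T10:00:03 10.0.0.23 10.0.0.5 5554 open
2004-05-01T10:05:00 10.0.0.9 10.0.0.40 445 open
2004-05-01T10:05:01 10.0.0.9 10.0.0.40 139 open
"""

# Ports named in the description: LSASS scan, remote shell, FTP download.
SCAN_PORT, SHELL_PORT, FTP_PORT = 445, 9996, 5554


def parse_log(text):
    """Turn the assumed log format into (timestamp, src, dst, dport, status) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, status = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(dport), status))
    return events


def find_scanners(events, min_targets=5, window=timedelta(seconds=60)):
    """Sources that touch at least min_targets distinct hosts on 445 within the window.

    Refused connections count too: random scanning mostly hits hosts that do not answer.
    """
    by_src = defaultdict(list)
    for ts, src, dst, dport, _ in events:
        if dport == SCAN_PORT:
            by_src[src].append((ts, dst))
    scanners = set()
    for src, hits in by_src.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            targets = {d for t, d in hits[i:] if t - t0 <= window}
            if len(targets) >= min_targets:
                scanners.add(src)
                break
    return scanners


def find_infection_chains(events, window=timedelta(seconds=30)):
    """Return (attacker, victim) pairs showing 445 -> 9996 -> 5554 callback in that order."""
    conns = defaultdict(list)  # (src, dst, dport) -> list of timestamps of open connections
    for ts, src, dst, dport, status in events:
        if status == "open":
            conns[(src, dst, dport)].append(ts)
    chains = []
    for (attacker, victim, port), t445s in conns.items():
        if port != SCAN_PORT:
            continue
        for t445 in t445s:
            shell = [t for t in conns.get((attacker, victim, SHELL_PORT), [])
                     if t445 <= t <= t445 + window]
            if not shell:
                continue
            # The FTP transfer runs from the victim back to the infecting host.
            ftp = [t for t in conns.get((victim, attacker, FTP_PORT), [])
                   if shell[0] <= t <= t445 + window]
            if ftp:
                chains.append((attacker, victim))
                break
    return chains


def analyse(text):
    events = parse_log(text)
    return {"scanners": find_scanners(events), "chains": find_infection_chains(events)}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    print("scanning hosts:", sorted(result["scanners"]))
    print("likely infections (attacker, victim):", result["chains"])
```

The scan detector alone is noisy on networks with legitimate SMB management traffic, so the chain detector is the higher-confidence signal; in practice the two would be tuned separately (threshold and window) against the site's own baseline.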

Visible Symptoms:

When first run, W32/Sasser-B copies itself to the Windows folder as avserve2.exe and creates the following registry entry, so that avserve2.exe is run automatically each time Windows is started:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
avserve2.exe = %WINDOWS%\avserve2.exe

A harmless text file is created in the C:\ root folder named win2.log.
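The indicators listed in the two sections above (the avserve2.exe copy in the Windows directory, the avserve2.exe Run value under HKLM, and the win2.log marker file in the root folder) can be checked on a host with the following script. It is an added example, not code from the original page or from any vendor's removal tool. The evaluation is separated from collection so the logic runs against constructed sample data on any platform; the collector uses the standard-library winreg module and therefore only runs on Windows. The sample Run values and file listings are constructed for the example.

```python
import ntpath
import os
import sys

# Indicators taken from the description above.
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "avserve2.exe"
WORM_FILE = "avserve2.exe"
LOG_FILE = "win2.log"


def evaluate_host(run_values, windir_files, root_files):
    """Compare collected host data with the Sasser.B indicators.

    run_values:   dict of value name -> data from the HKLM Run key
    windir_files: file names present in the Windows directory
    root_files:   file names present in the root of the system drive
    Returns a list of findings; an empty list means no indicator matched.
    """
    findings = []
    for name, data in run_values.items():
        # Match either the value name or a command whose file name is the worm copy.
        if name.lower() == RUN_VALUE or ntpath.basename(str(data)).lower() == WORM_FILE:
            findings.append(f"Run value {name!r} -> {data!r}")
    if WORM_FILE in {f.lower() for f in windir_files}:
        findings.append(f"{WORM_FILE} present in Windows directory")
    if LOG_FILE in {f.lower() for f in root_files}:
        findings.append(f"{LOG_FILE} present in root folder")
    return findings


def collect_windows():
    """Collect the same data from a live Windows host (Windows only)."""
    import winreg  # standard library on Windows
    run_values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # raised once there are no more values
                break
            run_values[name] = data
            index += 1
    windir = os.environ.get("WINDIR", r"C:\Windows")
    root = os.path.splitdrive(windir)[0] + "\\"
    return run_values, os.listdir(windir), os.listdir(root)


# Constructed sample input (not from the page): an infected host as described above.
SAMPLE_RUN = {"ctfmon.exe": "CTFMON.EXE", "avserve2.exe": r"C:\WINDOWS\avserve2.exe"}
SAMPLE_WINDIR = ["explorer.exe", "AVSERVE2.EXE", "notepad.exe"]
SAMPLE_ROOT = ["boot.ini", "win2.log", "WINDOWS"]


if __name__ == "__main__":
    if sys.platform == "win32":
        data = collect_windows()
    else:
        data = (SAMPLE_RUN, SAMPLE_WINDIR, SAMPLE_ROOT)
    for finding in evaluate_host(*data) or ["no Sasser.B indicators found"]:
        print(finding)
```

File names are compared case-insensitively because the page itself lists the copy as both AVSERVE2.EXE and avserve2.exe. A positive result is a reason to run the vendor removal tool and apply MS04-011, not a substitute for either.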

Technical description:

Propagation:

Sasser.B follows the propagation routine described in the Brief Description above.

Removal tool and instructions:
Download removal tool from F-Secure